From 3cb2bbd1e2123195b569d5ae97b8ff89396b117b Mon Sep 17 00:00:00 2001 From: dd di cesare Date: Tue, 30 Aug 2022 17:48:51 +0200 Subject: [PATCH] Authorino Operator bundle 
Signed-off-by: dd di cesare --- .../0.4.0/bundle.Dockerfile | 20 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 23 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 20 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 18 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 43 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 10 + ...er-manager-metrics-service_v1_service.yaml | 17 + ...-operator-manager-config_v1_configmap.yaml | 17 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 10 + ...horino-operator.clusterserviceversion.yaml | 367 ++++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 18 + .../authorino.kuadrant.io_authconfigs.yaml | 1905 +++++++++++++++++ .../manager-config_v1_configmap.yaml | 17 + ...ator.authorino.kuadrant.io_authorinos.yaml | 247 +++ .../0.4.0/metadata/annotations.yaml | 14 + .../0.4.0/tests/scorecard/config.yaml | 70 + 16 files changed, 2816 insertions(+) create mode 100644 operators/authorino-operator/0.4.0/bundle.Dockerfile create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino-authconfig-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino-authconfig-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino-manager-k8s-auth-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino-manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino-operator-controller-manager-metrics-service_v1_service.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino-operator-manager-config_v1_configmap.yaml create mode 100644 
operators/authorino-operator/0.4.0/manifests/authorino-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino-operator.clusterserviceversion.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino-proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/authorino.kuadrant.io_authconfigs.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/manager-config_v1_configmap.yaml create mode 100644 operators/authorino-operator/0.4.0/manifests/operator.authorino.kuadrant.io_authorinos.yaml create mode 100644 operators/authorino-operator/0.4.0/metadata/annotations.yaml create mode 100644 operators/authorino-operator/0.4.0/tests/scorecard/config.yaml diff --git a/operators/authorino-operator/0.4.0/bundle.Dockerfile b/operators/authorino-operator/0.4.0/bundle.Dockerfile new file mode 100644 index 00000000000..ca9f680083c --- /dev/null +++ b/operators/authorino-operator/0.4.0/bundle.Dockerfile 
@@ -0,0 +1,20 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=authorino-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.22.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY manifests /manifests/
+COPY metadata /metadata/
+COPY tests/scorecard /tests/scorecard/
diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-authconfig-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-authconfig-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..6e94ba7ed57
--- /dev/null
+++ b/operators/authorino-operator/0.4.0/manifests/authorino-authconfig-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-authconfig-editor-role
+rules:
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs/status
+ verbs:
+ - get
diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-authconfig-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-authconfig-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..e9f571b4ed1
--- /dev/null
+++ b/operators/authorino-operator/0.4.0/manifests/authorino-authconfig-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-authconfig-viewer-role
+rules:
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs/status
+ verbs:
+ - get
diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-manager-k8s-auth-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-manager-k8s-auth-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..ba77ebba56a
--- /dev/null
+++ b/operators/authorino-operator/0.4.0/manifests/authorino-manager-k8s-auth-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-manager-k8s-auth-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..d110e1be815
--- /dev/null
+++ b/operators/authorino-operator/0.4.0/manifests/authorino-manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-manager-role
+rules:
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - list
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..7df9d1fe979
--- /dev/null
+++ b/operators/authorino-operator/0.4.0/manifests/authorino-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-operator-controller-manager-metrics-service_v1_service.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-operator-controller-manager-metrics-service_v1_service.yaml
new file mode 100644
index 00000000000..7affce17e5b
--- /dev/null
+++ b/operators/authorino-operator/0.4.0/manifests/authorino-operator-controller-manager-metrics-service_v1_service.yaml
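Review bot: The last rule of `authorino-manager-role` grants `get`/`list`/`watch` on core `secrets` with no namespace boundary, because the object is a ClusterRole; whoever it is bound to through a ClusterRoleBinding can read every Secret in the cluster, not only the ones Authorino consumes. This is presumably deliberate for the `clusterWide: true` sample in the CSV, but the binding that decides the actual blast radius is created by the operator and is not part of this bundle, so nothing here records that the rule is meant to be narrowed by a namespaced RoleBinding when Authorino runs in namespaced mode. I would add a comment above the rule, e.g. `# Secret read is cluster-wide only when bound with a ClusterRoleBinding; use a RoleBinding for namespaced Authorino instances`, and the same remark applies to the identical `secrets` rule under `clusterPermissions` in the ClusterServiceVersion.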
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ labels:
+ control-plane: controller-manager
+ name: authorino-operator-controller-manager-metrics-service
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+status:
+ loadBalancer: {}
diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-operator-manager-config_v1_configmap.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-operator-manager-config_v1_configmap.yaml
new file mode 100644
index 00000000000..eaef3e65a36
--- /dev/null
+++ b/operators/authorino-operator/0.4.0/manifests/authorino-operator-manager-config_v1_configmap.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+data:
+ controller_manager_config.yaml: |
+ apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :8081
+ metrics:
+ bindAddress: 127.0.0.1:8080
+ webhook:
+ port: 9443
+ leaderElection:
+ leaderElect: true
+ resourceName: aac3a15d.authorino.kuadrant.io
+kind: ConfigMap
+metadata:
+ name: authorino-operator-manager-config
diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..1c79fb7f01f
--- /dev/null
+++ b/operators/authorino-operator/0.4.0/manifests/authorino-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-operator-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
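Review bot: The metrics Service's `selector` is `control-plane: controller-manager`, but the only Deployment in this bundle (in the ClusterServiceVersion) labels its pod template `control-plane: authorino-operator`, so the Service will never select any endpoints. Even with a matching selector nothing would answer: the `manager` container declares no port named `https`, and the manager ConfigMap in this same file binds metrics to `127.0.0.1:8080`, which suggests the kube-rbac-proxy sidecar that normally serves 8443 was removed from the scaffold while its Service stayed behind. Either drop this Service together with the two `*-metrics-reader` ClusterRoles that exist only to reach it, or change the selector to `control-plane: authorino-operator` and expose the metrics port on the manager container.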
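Review bot: Nothing in the bundle consumes `authorino-operator-manager-config`: the CSV starts the manager as `/manager --leader-elect` with no `--config` flag and mounts no ConfigMap, so the health, metrics, webhook and leader-election values in `controller_manager_config.yaml` are inert and can silently drift from what the binary actually uses. If the operator is meant to read it, the Deployment needs the volume mount and a `--config` argument; if not, the ConfigMap should be removed from the bundle rather than shipped as dead configuration. The diffstat also lists a second `manager-config_v1_configmap.yaml` that is outside this view; if it duplicates this one, only one of them should remain.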
diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-operator.clusterserviceversion.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-operator.clusterserviceversion.yaml new file mode 100644 index 00000000000..338b213ee54 --- /dev/null +++ b/operators/authorino-operator/0.4.0/manifests/authorino-operator.clusterserviceversion.yaml 
@@ -0,0 +1,367 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "operator.authorino.kuadrant.io/v1beta1", + "kind": "Authorino", + "metadata": { + "name": "authorino-sample", + "namespace": "authorino-operator" + }, + "spec": { + "clusterWide": true, + "image": "quay.io/kuadrant/authorino:latest", + "imagePullPolicy": "Always", + "listener": { + "port": null, + "tls": { + "certSecretRef": { + "name": "authorino-cert" + }, + "enabled": true + } + }, + "oidcServer": { + "port": null, + "tls": { + "certSecretRef": { + "name": "authorino-cert" + }, + "enabled": true + } + }, + "replicas": 1 + } + } + ] + capabilities: Basic Install + categories: Integration & Delivery + containerImage: quay.io/kuadrant/authorino-operator:v0.4.0 + createdAt: 2021-12-08T10-00-00Z + operators.operatorframework.io/builder: operator-sdk-v1.22.0 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 + repository: https://github.com/Kuadrant/authorino-operator + support: kuadrant + name: authorino-operator.v0.4.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: API to describe the desired protection for a service + displayName: AuthConfig + kind: AuthConfig + name: authconfigs.authorino.kuadrant.io + version: v1beta1 + - description: API to create instances of authorino + displayName: Authorino + kind: Authorino + name: authorinos.operator.authorino.kuadrant.io + version: v1beta1 + description: The operator to manage instances of Authorino + displayName: Authorino Operator + icon: + - base64data: 
iVBORw0KGgoAAAANSUhEUgAAAMgAAADICAIAAAAiOjnJAAAHCklEQVR4nOzc72tWdQPH8e+tm/ecXGNO77mb3beZLgtkDxpCgT4IBBFqJT1YRqFS5oMS/BG5ioqhUc3IFKwHpqHSg9qDsCwIQeiBQoEotISyzcwa6bI5Nlyms8X4Lp1u1zzXub6f8/2ea+/XH3DO58GbXeec69opGhgYMIBrE3wPQGEiLEgQFiQICxKEBQnCggRhQYKwIEFYkCAsSBAWJAgLEoQFCcKCBGFBgrAgQViQICxIEBYkCAsShAUJwoIEYUGCsCBBWJAgLEgQFiQICxKEBQnCggRhQYKwIEFYkCAsSBAWJAgLEoQFCcKCBGFBgrAgQViQICxIEBYkCAsShAUJwoIEYUGCsCBR5HtAJI89uqytvT2fI2zetHnxkiXuFgn1d3eead44s3FLUXml7y3xpSOstvb24998m88Rurq63M0R6u/uPPlkw6VjZy+dbJi7uyW9bfFRGJBrVRljLh07++Mrz/heFB9hhWJ4VVbvgdZTL6z0Oio+wgrCyKqs7g+/+mX7855G5YWw/MtWldW5bf/5lh2Jj8oXYXk2dlVWR/POvtbDCY5ygLB8ilKVMeZq1+X2Dev7uzuT2uUAYXkTsSrrSltv+/o0XcgTlh85VWVd/PLUufdfU45yibA8iFGV1bF5X1outggraX2th+NVZZ1uesn1IgnCSlRf6+EfVj4duyr7RD4VT7YIKzm2qqtdl/M8Tue2/X/+dMLRKBXCSoirqqzTTc85OY4OYSXBbVX2DrH7iw9cHU2BsOScV2X9/NZ2twd0i7C0RFXZR6Yhf4dIWEK6qqyO5p3Bfs9DWCrqqux3iGf3btUdPx+EJZFAVdaFzw6pTxEPYbmXWFUhX2kRlmNJVmX9+t7exM4VHWG5lHxV9o9Wz5EDSZ4xCsJyxktV1rmP9iV/0rERlhseq7L/zxPacwfCcsBvVdbvH+/yePaRCCtfIVQ1GNbnB/0OuAlh5SWQquzvtIL6LQ1hxRdOVVb3oU98T7iOsGIKrarQPg0JK44Aq7KfhuHcGxJWzsKsyuo+2OJ7whDCyk3IVRljeo4f9T1hCGHl4HzLju8eXBVsVcaYi0dDuTEkrKjOt+w40xji7wiGu9LWG8hlFmFFkoqqrL4TX/ueYAgrkhRVNXiZdfSI7wmGsG4tXVUZY/7I7/XSrhDWWFJX1eBlVsdvvicYwhpLGquyj0l9TzCElVVKq7JCeNURYY0i1VUZY/p7LvieQFgjpL2qwev371t9TyCsGxVAVYPX7709vicQ1jCFUVUgCGtIIVUVwqMswjIFVpUx5q/ei74nEFbBVRWI8R4WVYmM67CoSmdchwWdcR3W9IY1M5vX+F5RmMZ1WLSlM97Doi0RwjKF19aEzBTfEwjrH4XU1uQ5c3xPIKxhCqkt7wjrBoXRVnGmzPcEwhqhANqafGet7wmENZq0t1VUNtX3BMLKItVtldYu9D2BsLJLaVsldVW+JxjCuoU0tlVc/R/fEwxh3Vrq2grhIRZhRZKutsrmL/A9wRBWVClqq3TePb4nGMLKQSraKq7JFJVX+l5hCCs30xvW3PXprokVk3wPyWrK/Hm+JwwhrNyU1i68Y8+7wbZVdvd83xOGEFbOQm6rfHGD7wlDCCuOMNsqqasK5AKLsOILsK1p9y/2PeE6woovtLbKFz3ke8J1hJWXcNoqqav6922h3BISlgOBtBXU5yBhuRFCW9MeXuXx7CMRlht+28rU14ZzP2gRljMe25rxyPLkTzo2wnLJS1vFNZmyBfVJnjEKwnIs+bb++9SKxM4VHWG5l2RbxTWZ6Q0h/uaCsCQSa2vqA4vUp4iHsFQSaGtixaSqFRt0x88HYQmp26puXB3aU4ZrCEtL11awV1cWYcmJ2vr/s2vdHtAtwkqC87am3De7fMnjro6mQFgJcdvWrKY3nRxHh7CS46qtynVLg/qFzKgIK1G2rXxer1BS
V/W/tW84HSVBWEkrrV04d3dL7LZmNb3qepEEYXlQVF4Zr63ql5eH8IqiKAjLjxhtZeprZzzxonKUS4TlTU5tFddkbt/0jn6UM4TlU8S2JlZMmrP17WC/vRkVYXkWpa3qxtVpubS6hrD8G7utynVLQ/5OMBvCCkK2tsqX3ZuKp1YjEVYoRraVqa+d/foer6PiI6yADG+rpK4qXbeBNynyPSCSmrxf2FpRUeFoi5Zt60zzxpmNW9J1G3iTfw0MDPjegALERyEkCAsShAUJwoIEYUGCsCBBWJAgLEgQFiQICxKEBQnCggRhQYKwIEFYkCAsSBAWJAgLEoQFCcKCBGFBgrAgQViQICxIEBYkCAsShAUJwoIEYUGCsCBBWJAgLEgQFiQICxKEBQnCggRhQYKwIEFYkCAsSBAWJAgLEoQFCcKCBGFBgrAgQViQICxI/B0AAP//uLJ9vDn6iowAAAAASUVORK5CYII= + mediatype: image/png + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - '*' + resources: + - clusterrolebindings + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - '*' + resources: + - clusterroles + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - '*' + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - '*' + resources: + - configmaps/status + verbs: + - delete + - get + - patch + - update + - apiGroups: + - '*' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - '*' + resources: + - rolebindings + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - '*' + resources: + - roles + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - '*' + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - '*' + resources: + - serviceaccounts + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - '*' + resources: + - services + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - '*' + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '*' + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs + verbs: + - create + - 
delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update + - apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos/finalizers + verbs: + - update + - apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos/status + verbs: + - get + - patch + - update + serviceAccountName: authorino-operator + deployments: + - label: + control-plane: authorino-operator + name: authorino-operator + spec: + replicas: 1 + selector: + matchLabels: + control-plane: authorino-operator + strategy: {} + template: + metadata: + labels: + control-plane: authorino-operator + spec: + containers: + - args: + - --leader-elect + command: + - /manager + image: quay.io/kuadrant/authorino-operator:v0.4.0 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 200m + memory: 300Mi + requests: + cpu: 200m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true + serviceAccountName: authorino-operator + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + 
- "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: authorino-operator + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - Authorino + - Authorino Operator + - Kuadrant + links: + - name: Authorino Operator + url: https://github.com/Kuadrant/authorino-operator + - name: Authorino + url: https://github.com/Kuadrant/authorino + maintainers: + - email: dcesare@redhat.com + name: Didier Di Cesare + - email: eastizle@redhat.com + name: Eguzki Astiz Lezaun + - email: mcassola@redhat.com + name: Guilherme Cassolato + maturity: alpha + minKubeVersion: 1.8.0 + provider: + name: Authorino + version: 0.4.0 + replaces: authorino-operator.v0.0.1 diff --git a/operators/authorino-operator/0.4.0/manifests/authorino-proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.4.0/manifests/authorino-proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 00000000000..e91ff23bc55 --- /dev/null +++ b/operators/authorino-operator/0.4.0/manifests/authorino-proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: authorino-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/operators/authorino-operator/0.4.0/manifests/authorino.kuadrant.io_authconfigs.yaml b/operators/authorino-operator/0.4.0/manifests/authorino.kuadrant.io_authconfigs.yaml new file mode 100644 index 00000000000..1742c9abcc6 --- /dev/null +++ b/operators/authorino-operator/0.4.0/manifests/authorino.kuadrant.io_authconfigs.yaml 
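Review bot: Under `spec.install.spec.clusterPermissions`, the rules for `clusterrolebindings`, `clusterroles`, `configmaps`, `configmaps/status`, `events`, `rolebindings`, `roles`, `secrets`, `serviceaccounts`, `services`, `subjectaccessreviews` and `tokenreviews` all use `apiGroups: ['*']`, which grants the verbs on any resource of that name in every API group rather than the intended one, while the rules for `apps`, `coordination.k8s.io` and the two Kuadrant groups in the same list are scoped correctly. Each wildcard should name its group: `rbac.authorization.k8s.io` for the four RBAC resources, `""` for the core resources, `authentication.k8s.io` for tokenreviews and `authorization.k8s.io` for subjectaccessreviews; this likely originates from kubebuilder RBAC markers missing a `groups=` field. Two smaller points in the same hunk: `createdAt: 2021-12-08T10-00-00Z` is not a valid RFC 3339 timestamp (the time part uses hyphens; `2021-12-08T10:00:00Z` is presumably intended), and `minKubeVersion: 1.8.0` looks too low for a pod spec that relies on `seccompProfile`, which older clusters will reject.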
@@ -0,0 +1,1905 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + name: authconfigs.authorino.kuadrant.io +spec: + group: authorino.kuadrant.io + names: + kind: AuthConfig + listKind: AuthConfigList + plural: authconfigs + singular: authconfig + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Ready for all hosts + jsonPath: .status.summary.ready + name: Ready + type: string + - description: Number of hosts ready + jsonPath: .status.summary.numHostsReady + name: Hosts + type: string + - description: Number of trusted identity sources + jsonPath: .status.summary.numIdentitySources + name: Authentication + priority: 2 + type: integer + - description: Number of external metadata sources + jsonPath: .status.summary.numMetadataSources + name: Metadata + priority: 2 + type: integer + - description: Number of authorization policies + jsonPath: .status.summary.numAuthorizationPolicies + name: Authorization + priority: 2 + type: integer + - description: Number of items added to the authorization response + jsonPath: .status.summary.numResponseItems + name: Response + priority: 2 + type: integer + - description: Whether issuing Festival Wristbands + jsonPath: .status.summary.festivalWristbandEnabled + name: Wristband + priority: 2 + type: boolean + name: v1beta1 + schema: + openAPIV3Schema: + description: AuthConfig is the schema for Authorino's AuthConfig API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specifies the desired state of the AuthConfig resource, i.e. + the authencation/authorization scheme to be applied to protect the matching + service hosts. + properties: + authorization: + description: Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request + be successful in the authorization phase. + items: + description: 'Authorization policy to be enforced. Apart from "name", + one of the following parameters is required and only one of the + following parameters is allowed: "opa", "json" or "kubernetes".' + oneOf: + - properties: + name: {} + opa: {} + required: + - name + - opa + - properties: + json: {} + name: {} + required: + - name + - json + - properties: + kubernetes: {} + name: {} + required: + - name + - kubernetes + properties: + cache: + description: Caching options for the policy evaluation results + when enforcing this config. Omit it to avoid caching policy + evaluation results for this config. + properties: + key: + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + json: + description: JSON pattern matching authorization policy. + properties: + rules: + description: The rules that must all evaluate to "true" + for the request to be authorized. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - value + properties: + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input + authorization JSON built by Authorino along the + identity and metadata phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - rules + type: object + kubernetes: + description: Kubernetes authorization policy based on `SubjectAccessReview` + Path and Verb are inferred from the request. + properties: + groups: + description: Groups to test for. 
+ items: + type: string + type: array + resourceAttributes: + description: Use ResourceAttributes for checking permissions + on Kubernetes resources If omitted, it performs a non-resource + `SubjectAccessReview`, with verb and path inferred from + the request. + properties: + group: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + name: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + namespace: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + resource: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' 
+ type: string + type: object + type: object + subresource: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + verb: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + type: object + user: + description: User to test for. 
If without "Groups", then + is it interpreted as "What if User were not a member of + any groups" + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + required: + - user + type: object + metrics: + default: false + description: Whether this authorization config should generate + individual observability metrics + type: boolean + name: + description: Name of the authorization policy. It can be used + to refer to the resolved authorization object in other configs. + type: string + opa: + description: Open Policy Agent (OPA) authorization policy. + properties: + allValues: + default: false + description: Returns the value of all Rego rules in the + virtual document. Values can be read in subsequent evaluators/phases + of the Auth Pipeline. Otherwise, only the default `allow` + rule will be exposed. Returning all Rego rules can affect + performance of OPA policies during reconciliation (policy + precompile) and at runtime. + type: boolean + externalRegistry: + description: External registry of OPA policies. + properties: + credentials: + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. 
+ properties: + in: + default: authorization_header + description: The location in the request where client + credentials shall be passed on requests authenticating + with this identity source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value + is the prefix of the client credentials string, + separated by a white-space, in the HTTP Authorization + header (e.g. "Bearer", "Basic"). When used with + `custom_header`, `query` or `cookie`, the value + is the name of the HTTP header, query string parameter + or cookie key, respectively. + type: string + required: + - keySelector + type: object + endpoint: + description: Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or + application/json content-type. In the latter case, + the JSON returned in the body must include a path + `result.raw`, where the raw Rego policy will be extracted + from. This complies with the specification of the + OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + type: string + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + ttl: + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + type: object + inlineRego: + description: Authorization policy as a Rego language document. 
+ The Rego document must include the "allow" condition, + set by Authorino to "false" by default (i.e. requests + are unauthorized unless changed). The Rego document must + NOT include the "package" declaration in line 1. + type: string + type: object + priority: + default: 0 + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce this authorization + policy. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - value + properties: + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. 
+ type: string + type: object + type: array + required: + - name + type: object + type: array + denyWith: + description: Custom denial response codes, statuses and headers to + override default 40x's. + properties: + unauthenticated: + description: Denial status customization when the request is unauthenticated. + properties: + body: + description: HTTP response body to override the default denial + body. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + code: + description: HTTP status code to override the default denial + status code. + format: int64 + maximum: 599 + minimum: 300 + type: integer + headers: + description: HTTP response headers to override the default + denial headers. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + required: + - name + type: object + type: array + message: + description: HTTP message to override the default denial message. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + type: object + unauthorized: + description: Denial status customization when the request is unauthorized. + properties: + body: + description: HTTP response body to override the default denial + body. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' 
+ type: string + type: object + type: object + code: + description: HTTP status code to override the default denial + status code. + format: int64 + maximum: 599 + minimum: 300 + type: integer + headers: + description: HTTP response headers to override the default + denial headers. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + required: + - name + type: object + type: array + message: + description: HTTP message to override the default denial message. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' 
+ type: string + type: object + type: object + type: object + type: object + hosts: + description: The list of public host names of the services protected + by this authentication/authorization scheme. Authorino uses the + requested host to lookup for the corresponding authentication/authorization + configs to enforce. + items: + type: string + type: array + identity: + description: List of identity sources/authentication modes. At least + one config of this list MUST evaluate to a valid identity for a + request to be successful in the identity verification phase. + items: + description: 'The identity source/authentication mode config. Apart + from "name", one of the following parameters is required and only + one of the following parameters is allowed: "oicd", "apiKey" or + "kubernetes".' + oneOf: + - properties: + credentials: {} + name: {} + oauth2: {} + required: + - name + - oauth2 + - properties: + credentials: {} + name: {} + oidc: {} + required: + - name + - oidc + - properties: + apiKey: {} + credentials: {} + name: {} + required: + - name + - apiKey + - properties: + apiKey: {} + credentials: {} + name: {} + required: + - name + - mtls + - properties: + credentials: {} + kubernetes: {} + name: {} + required: + - name + - kubernetes + - properties: + anonymous: {} + credentials: {} + name: {} + required: + - name + - anonymous + - properties: + anonymous: {} + credentials: {} + name: {} + required: + - name + - plain + properties: + anonymous: + type: object + apiKey: + properties: + allNamespaces: + default: false + description: Whether Authorino should look for API key secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. 
+ type: boolean + selector: + description: Label selector used by Authorino to match secrets + from the cluster storing valid credentials to authenticate + to this service + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + required: + - selector + type: object + cache: + description: Caching options for the identity resolved when + applying this config. Omit it to avoid caching identity objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. 
+ properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + credentials: + description: Defines where client credentials are required to + be passed in the request for this identity source/authentication + mode. If omitted, it defaults to client credentials passed + in the HTTP Authorization header and the "Bearer" prefix expected + prepended to the credentials value (token, API key, etc). + properties: + in: + default: authorization_header + description: The location in the request where client credentials + shall be passed on requests authenticating with this identity + source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the + prefix of the client credentials string, separated by + a white-space, in the HTTP Authorization header (e.g. + "Bearer", "Basic"). When used with `custom_header`, `query` + or `cookie`, the value is the name of the HTTP header, + query string parameter or cookie key, respectively. 
+ type: string + required: + - keySelector + type: object + extendedProperties: + description: Extends the resolved identity object with additional + custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the + JSON type 'object'. Other JSON types (array, string, etc) + will break. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + required: + - name + type: object + type: array + kubernetes: + properties: + audiences: + description: The list of audiences (scopes) that must be + claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name of + the requested protected service amongst the audiences. + items: + type: string + type: array + type: object + metrics: + default: false + description: Whether this identity config should generate individual + observability metrics + type: boolean + mtls: + properties: + allNamespaces: + default: false + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as the + AuthConfig. 
Enabling this option in namespaced Authorino + instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to match secrets + from the cluster storing trusted CA certificates to validate + clients trying to authenticate to this service + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + required: + - selector + type: object + name: + description: The name of this identity source/authentication + mode. It usually identifies a source of identities or group + of users/clients of the protected service. It can be used + to refer to the resolved identity object in other configs. 
+ type: string + oauth2: + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the same + namespace, that stores client credentials to the OAuth2 + server. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + tokenIntrospectionUrl: + description: The full URL of the token introspection endpoint. + type: string + tokenTypeHint: + description: The token type hint for the token introspection. + If omitted, it defaults to "access_token". + type: string + required: + - credentialsRef + - tokenIntrospectionUrl + type: object + oidc: + properties: + endpoint: + description: Endpoint of the OIDC issuer. Authorino will + append to this value the well-known path to the OpenID + Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), + used to automatically discover the OpenID Connect configuration, + whose set of claims is expected to include (among others) + the "jkws_uri" claim. The value must coincide with the + value of the "iss" (issuer) claim of the discovered OpenID + Connect configuration. + type: string + ttl: + description: Decides how long to wait before refreshing + the OIDC configuration (in seconds). + type: integer + required: + - endpoint + type: object + plain: + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the authorization + JSON (e.g. ''context.request.http.host'') or a string + template with variable placeholders that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any patterns supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. The following string modifiers are available: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + and @base64:encode|decode.' 
+ type: string + type: object + priority: + default: 0 + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce this identity + config. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - value + properties: + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + required: + - name + type: object + type: array + metadata: + description: List of metadata source configs. Authorino fetches JSON + content from sources on this list on every request. + items: + description: 'The metadata config. 
Apart from "name", one of the + following parameters is required and only one of the following + parameters is allowed: "http", userInfo" or "uma".' + oneOf: + - properties: + name: {} + userInfo: {} + required: + - name + - userInfo + - properties: + name: {} + uma: {} + required: + - name + - uma + - properties: + name: {} + uma: {} + required: + - name + - http + properties: + cache: + description: Caching options for the external metadata fetched + when applying this config. Omit it to avoid caching metadata + from this source. + properties: + key: + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + http: + description: Generic HTTP interface to obtain authorization + metadata from a HTTP service. + properties: + body: + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). 
+ properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + bodyParameters: + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + required: + - name + type: object + type: array + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. 
Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. + properties: + in: + default: authorization_header + description: The location in the request where client + credentials shall be passed on requests authenticating + with this identity source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. + type: string + required: + - keySelector + type: object + endpoint: + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + type: string + headers: + description: Custom headers in the HTTP request. 
+ items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + required: + - name + type: object + type: array + method: + default: GET + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' + enum: + - GET + - POST + type: string + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + required: + - endpoint + type: object + metrics: + default: false + description: Whether this metadata config should generate individual + observability metrics + type: boolean + name: + description: The name of the metadata source. It can be used + to refer to the resolved metadata object in other configs. 
+ type: string + priority: + default: 0 + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + uma: + description: User-Managed Access (UMA) source of resource data. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the same + namespace, that stores client credentials to the resource + registration API of the UMA server. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + endpoint: + description: The endpoint of the UMA server. The value must + coincide with the "issuer" claim of the UMA config discovered + from the well-known uma configuration endpoint. + type: string + required: + - credentialsRef + - endpoint + type: object + userInfo: + description: OpendID Connect UserInfo linked to an OIDC identity + config of this same spec. + properties: + identitySource: + description: The name of an OIDC identity source included + in the "identity" section and whose OpenID Connect configuration + discovered includes the OIDC "userinfo_endpoint" claim. + type: string + required: + - identitySource + type: object + when: + description: Conditions for Authorino to apply this metadata + config. If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be + applied; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - value + properties: + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". 
Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + required: + - name + type: object + type: array + patterns: + additionalProperties: + items: + properties: + operator: + description: 'The binary operator to be applied to the content + fetched from the authorization JSON, for comparison with + "value". Possible values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison with + the content fetched from the authorization JSON. If used + with the "matches" operator, the value must compile to a + valid Golang regex. + type: string + type: object + type: array + description: Named sets of JSON patterns that can be referred in `when` + conditionals and in JSON-pattern matching policy rules. + type: object + response: + description: List of response configs. 
Authorino gathers data from + the auth pipeline to build custom responses for the client. + items: + description: 'Dynamic response to return to the client. Apart from + "name", one of the following parameters is required and only one + of the following parameters is allowed: "wristband" or "json".' + properties: + cache: + description: Caching options for dynamic responses built when + applying this config. Omit it to avoid caching dynamic responses + for this config. + properties: + key: + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + json: + properties: + properties: + description: List of JSON property-value pairs to be added + to the dynamic response. 
+ items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + required: + - name + type: object + type: array + required: + - properties + type: object + metrics: + default: false + description: Whether this response config should generate individual + observability metrics + type: boolean + name: + description: Name of the custom response. It can be used to + refer to the resolved response object in other configs. + type: string + priority: + default: 0 + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce this custom + response config. If omitted, the config will be enforced for + all requests. If present, all conditions must match for the + config to be enforced; otherwise, the config will be skipped. 
+ items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - value + properties: + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + wrapper: + default: httpHeader + description: How Authorino wraps the response. Use "httpHeader" + (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" + to wrap the response as Envoy Dynamic Metadata + enum: + - httpHeader + - envoyDynamicMetadata + type: string + wrapperKey: + description: The name of key used in the wrapped response (name + of the HTTP header or property of the Envoy Dynamic Metadata + JSON). If omitted, it will be set to the name of the configuration. + type: string + wristband: + properties: + customClaims: + description: Any claims to be added to the wristband token + apart from the standard JWT claims (iss, iat, exp) added + by default. 
+ items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, and @base64:encode|decode.' + type: string + type: object + required: + - name + type: object + type: array + issuer: + description: 'The endpoint to the Authorino service that + issues the wristband (format: ://:/, + where = /